README.md

JaWTh

JWT authenticator written in Python 3 using Flask. It exposes several endpoints to manage
users, applications and their credentials.

How it works

It stores applications and users. An application has a name and a secret key used to sign
its JWTs. A user has, among other fields, a username, a password that is never stored in
plaintext, and the timestamp of the last login. Every user belongs to exactly one application.

When a user sends a login request for an application, JaWTh checks the submitted password
against the stored one. If it matches, JaWTh signs a JWT containing the username, the user
uid and the login timestamp with that application's secret key and returns it to the client.
The client then presents this JWT on every subsequent request to the application.

When the application receives the JWT, it verifies the signature with the shared secret,
decodes the claims, and performs the requested action as the user named in the token.
Decoding without verifying the signature would let anyone mint their own tokens, so the
verification step is not optional.

Security concerns

The timestamp lets the application expire tokens on its own side, for example by rejecting
any token whose timestamp is older than the user's most recent login, or older than a maximum
age the application chooses.

Passwords are never stored in plaintext (of course!). The right primitive for this is a
salted, deliberately slow password hash (bcrypt, scrypt or Argon2), not reversible
encryption: a hash can be verified but not decrypted, so a leaked database does not hand
out the passwords.

The secret key used to sign tokens must be known only to the signer and the verifier
(JaWTh and the application). Anyone who learns it can forge tokens for any user of that
application.

To change anything in JaWTh you must know both the JAWTH_KEY password and JaWTh's own
JWT secret key (SECRET_KEY); see Using it and Configuring and launching below.

It forces the HS256 algorithm: the accepted algorithm is fixed in the verifier and is not
taken from the token header sent by the client, so a client cannot switch the header to
alg=none (an unsigned token) or to another algorithm in order to bypass signature
verification.

Possible improvements

For banning users, it could call webhooks implemented in the target application.
</gre_replace>
<gr_replace lines="41" cat="clarify" orig="It could manage mailing">
It could handle e-mail for password recovery and account confirmation, as well as sign-ups.

It could manage mailing for recovering passwords and confirm accounts. Also sign ups.

It could issue per-application keys that let an application add and remove its own users.

Specify CORS per application.

Improve error messages.

Using it

Clients communicate with JaWTh through HTTP requests to the different endpoints. Each
request must carry an auth request header whose value is jwt <jwt>. Examples follow.

JWT libraries exist for most popular programming languages, and jwt.io offers a tool to
generate a token directly on their website. Treat any key typed into a third-party web page
as exposed: use such tools only with throwaway keys, never with a production SECRET_KEY.

The JSON payload to encode must carry the JAWTH_KEY in a field named password. If the
endpoint expects data, the payload must also contain a field named data holding it.

Here is a generated JWT for a request that does not require sending data:

And here is one for a request that does require data:
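The following is an added example written for this README, not JaWTh's own code. It uses
only the Python standard library and covers two passages at once: the Security concerns
points (HS256 pinned in the verifier so alg=none and algorithm-swap tokens are rejected,
signature compared in constant time, and the login timestamp used to expire tokens) and
the request tokens described in Using it (JAWTH_KEY in the password field, an optional data
field, and the auth: jwt <jwt> header). The claim names username, uid, timestamp, password
and data come from the text above; the secret values, the "reject tokens older than the last
login" policy and the helper names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for anything the verifier must not accept."""


def _b64url(raw: bytes) -> str:
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def encode_hs256(claims: dict, key: str) -> str:
    """Sign claims with HMAC-SHA256. The header is written by the issuer, never by a client."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_hs256(token: str, key: str) -> dict:
    """Verify, then decode. HS256 is pinned here in the verifier: the header's alg is
    compared against it and never used to choose the algorithm, so alg=none and
    algorithm-swap tokens fail before a single claim is read."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise InvalidToken(f"malformed token: {exc}")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(key.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(claims_b64))


# JaWTh side: the token handed back after a successful login (claim names per README)
def login_token(username: str, uid: int, login_ts: int, app_secret: str) -> str:
    return encode_hs256({"username": username, "uid": uid, "timestamp": login_ts}, app_secret)


# Application side: verify the signature, then apply timestamp-based expiry.
# Rejecting tokens issued before the user's latest login is an assumed policy.
def verify_app_token(token: str, app_secret: str, last_login_ts: int) -> dict:
    claims = decode_hs256(token, app_secret)
    if claims.get("timestamp", 0) < last_login_ts:
        raise InvalidToken("token predates the user's last login")
    return claims


def accepted(token: str, app_secret: str, last_login_ts: int) -> bool:
    try:
        verify_app_token(token, app_secret, last_login_ts)
        return True
    except InvalidToken:
        return False


# Client side: a request token for JaWTh's own endpoints, signed with SECRET_KEY
def jawth_request_token(jawth_key: str, secret_key: str, data=None) -> str:
    claims = {"password": jawth_key}          # JAWTH_KEY goes in 'password'
    if data is not None:
        claims["data"] = data                 # 'data' only when the endpoint needs it
    return encode_hs256(claims, secret_key)


def auth_header(token: str) -> dict:
    return {"auth": f"jwt {token}"}


# What an attacker tries: keep the claims, rewrite the header's alg, swap the signature
def rewrite_alg(token: str, alg: str, signature: str = "") -> str:
    claims_b64 = token.split(".")[1]
    return _segment({"alg": alg, "typ": "JWT"}) + "." + claims_b64 + "." + signature


if __name__ == "__main__":
    app_secret = "per-application-secret"     # assumed value
    now = int(time.time())
    tok = login_token("alice", 42, now, app_secret)
    print("valid token accepted:", accepted(tok, app_secret, now))
    print("alg=none forgery accepted:", accepted(rewrite_alg(tok, "none"), app_secret, now))
    print("token older than last login accepted:", accepted(tok, app_secret, now + 1))
    print(auth_header(jawth_request_token("JAWTH_KEY", "jawth-secret", {"username": "bob"})))
```

Running the file prints True for the genuine token and False for the alg=none forgery and
for the token that predates the user's last login, then the header a client would send to
JaWTh. The security property lives in decode_hs256: the algorithm is a constant of the
verifier, and the signature comparison uses hmac.compare_digest rather than ==.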

Configuring and launching

To configure JaWTh there is a config file in the project root folder. Rather than editing
it, create a new one and point JaWTh at it by setting the JAWTH_CONFIG environment variable
to the path of the new config file.

Your config file should define the following variables:

DEBUG: Set to False. Flask's debug mode enables the interactive Werkzeug debugger, which
lets anyone who can reach an error page execute code on the server.

SECRET_KEY: JaWTh's own secret key, the one used to sign and verify the request tokens
sent to JaWTh (not an application's key). Generate it from a cryptographically secure
random source and make it at least 32 bytes long: a short or guessable HS256 key can be
recovered offline from a single captured token.